V7.1 Introduces Implementation Groups to the CIS Critical Security Controls™

The CIS Critical Security Controls (CIS Controls) are internationally-recognized cybersecurity best practices for defense against common threats.  They are a consensus-developed resource that brings together expert insight about cyber threats, business technology, and security. The CIS Controls are used by organizations with varying resources and risk exposure to build an effective cyber defense program. In our experience, however, organizations of every size and complexity still need more help to get started. To help, we developed the CIS Controls V7.1.

What’s new in V7.1:

  • Implementation Groups (IGs) – a new prioritization for the CIS Controls, at the Sub-Control level.
  • A detailed methodology to help organizations assess which IG they fall within.
  • Edits requested by the global community that clarify certain CIS Controls and Sub-Controls.

A new way to look at the CIS Controls

The IGs are self-assessed categories for organizations based on relevant cybersecurity attributes. Each IG identifies which CIS Controls, at the Sub-Control level, are reasonable for an organization with a similar risk profile and resources to implement. The IGs are a simple and accessible way to help organizations classify themselves and focus their security resources and expertise while leveraging the value of the CIS Controls best practices

To develop the IGs, we first identified a core set of Sub-Controls that organizations with limited resources, expertise, and risk exposure should focus on. This is IG1, which combines effective security value with technology and processes that are generally already available. IG1 also provides a basis for more tailored and sophisticated action in situations which call for it.

The CIS Sub-Controls in IG1 represent “Cyber Hygiene” – the essential protections that must be put into place to defend against common attacks. All organizations, regardless of which IG they are categorized as, would complete the Sub-Controls identified in IG1.

Each IG builds upon the previous one. IG2 identifies additional Sub-Controls for organizations with more resources and expertise than those in IG1, but also greater risk exposure. Finally, the rest of the Sub-Controls are included in IG3.


Cyber hygiene and beyond

Through the development of CIS Controls V7.1 and the Implementation Groups, businesses from around the world can more easily:

  • Create an effective cybersecurity program on a budget
  • Practice cyber hygiene with limited resources and expertise
  • Prioritize their cybersecurity efforts

To get started, download the CIS Controls V7.1 and identify your organization’s IG. Once you’ve determined which IG is appropriate, you can focus on implementing the CIS Sub-Controls within that IG. You’ll be off to a great start defending your assets in cyberspace.

The CIS Controls V7.1 are also mapped to NIST Cybersecurity Framework (CSF), making them a valuable on-ramp to your team’s cyber defense program.

Arrow Download CIS Controls V7.1 Mapping to NIST CSF